Whether a person can sue only for the first time their data is collected or disclosed without consent in violation of the Biometric Information Privacy Act (“BIPA”).
The Illinois Biometric Information Privacy Act was enacted to protect against unique risks involved in collecting, storing, using, and disclosing biometric data. The Illinois Supreme Court in Rosenbach v. Six Flags declared that individuals can sue whenever their BIPA rights are violated. But White Castle, which faces a class action lawsuit from longtime employees who allege that the company collected and disclosed their biometric data for over a decade without the BIPA-required consents, has turned to the U.S. Circuit Court for the Seventh Circuit to essentially overrule Rosenbach and instead limit BIPA suits to the first time an individual’s biometrics are collected or disclosed without consent. This rule contradicts the very clear directives of the Illinois Supreme Court, purposely confuses a matter of state law (statutory injury) with a federal standard (Article III injury), and would let longtime BIPA offenders off the hook simply because they started (but didn’t stop) violating the law years ago. The result would be a perverse incentive structure that would discourage companies from complying with BIPA if they violate the law once and institute the same penalties for companies that repeatedly violate the law and those that have a one-time lapse in compliance.
Latrina Cothron has worked as a manager at White Castle since 2004. About three years into her employment, White Castle required her to submit her fingerprint to access computers and her paystub at work. Cothron alleges that White Castle did not receive BIPA-required consent to collect or disclose her fingerprints at first because BIPA did not exist. BIPA was passed in 2008, but White Castle continued to collect and disclose Cothron’s fingerprint without consent until October 2018, when the company finally provided the necessary disclosures and sought consent. Cothron filed a lawsuit against White Castle two months later in December 2018.
BIPA is an Illinois statute that protects against unlimited collection, retention, use, and disclosure of biometric information. Companies that wish to use biometrics must disclose the term and purpose for which they plan to collect, store, and use an individual’s biometric data and obtain consent from the individual. Companies must also obtain consent to disclose biometrics it collects to a third party.
In Rosenbach v. Six Flags, the Illinois Supreme Court declared that individuals can sue whenever a company violates their BIPA rights—they need not allege any additional harm, like identity theft. Determining when and for what violations an individual can sue is thus simple: if the terms of the statute are violated, an individual has a legal claim and can sue.
Federal courts interpreting Spokeo v. Robins often use a different test to determine whether a federal court can hear a lawsuit under Article III of the constitution. Under this test, courts look beyond the plain language of the statute to the purposes underlying the statute to determine whether the law protects a concrete legal interest (and, sometimes, whether the specific violation actually caused harm to this legal interest).
The statute of limitations on a claim begin to run when an individual suffers a legal injury. Statutes of limitations are supposed to encourage those whose legal rights have been violated to bring claims while the factual record is most likely to be intact, and to prevent potential defendants from being dragged into court for stale allegations. The applicable statute of limitations for BIPA claims is currently being litigated in Illinois state court.
Cothron filed a lawsuit against White Castle in 2008. The case wound up in federal court. White Castle then filed a motion for judgment on the pleadings, arguing that individuals are only injured by a BIPA violation the first time a company collects or discloses their biometric data without consent. White Castle argued that the BIPA provisions protect individuals from “loss of control” of their biometric data. Because an individual “loses control” of their biometrics the first time they are collected or disclosed without consent, individuals can only sue for the first violation of BIPA. Because the first time White Castle violated BIPA was immediately after it was enacted in 2008, the statute of limitations has run, and Cothron (nor anyone else in her position) can sue for White Castle’s violation of their BIPA rights—even though White Castle continued to collect and disclose their biometrics without consent for ten years after BIPA was passed.
The district court denied White Castle’s motion. The district court read Rosenbach to recognize that an individual is injured anytime their BIPA rights are violated, and by the plain language of the statute White Castle is alleged to have collected and disclosed Cothron’s fingerprints thousands of time in over a decade. The district court nevertheless certified the question to the U.S. District Court for the Seventh Circuit, which will now either hear the case or certify the question to the Illinois Supreme Court.